The cloudy state of mobile security

In the October issue, Greg Lane and I discussed the mobility revolution underway and its consequences for government. We also underscored the considerable importance of privacy and security in realizing positive change both organizationally and for society as a whole. As governments look to cloud systems and mobility devices as platforms for collaboration and innovation, there is no greater priority for 2012.

Consider the emergence this past year of the Apple iCloud. Apple is first and foremost a proprietary-driven company, designing and maintaining its own operating system as a platform for products such as iPods, iPhones, and most recently the iPad. What the iCloud does is synchronize the usage of all such products (including Mac computers of course) via a common platform for storage and processing that is housed online (within the confines of Apple’s “private cloud” if you will).

Since Apple does not provide large-scale systems to government, the impacts of this evolution may be largely indirect in the short term as the iCloud is directed toward the consumer market of Apple product users. Yet there are nonetheless important implications, three of which we look at here.

First, as John Breeden recently pointed out in Government Computer News, the advent of the iCloud denotes a potentially significant expansion of the usage and credibility of the cloud as a concept for wider segments of the public (just as the iPhone has done much to democratize Internet access to mobile devices). As more people gravitate to Apple’s cloud, this concept will likely gain wider understanding and acceptance (further reinforced by existing cloud platforms of Google, Facebook and others).

Already it bears noting that Apple’s hugely successful bridging of its proprietary platforms with a partially open community of “apps” developers has resulted in like-minded efforts by many governments to create a similarly open community of contributors.

Second – and much to the chagrin of Research in Motion – a growing cadre of government workers in many jurisdictions is embracing the iPhone and iPad as mobile devices that transcend personal and professional usage. Indeed, the one-time infallible security advantages of the BlackBerry network are ever more rivalled in this regard by Apple’s operating system, Google’s open source variant, the Android operating system, and the new collaborative venture between Microsoft and Nokia (all of which underpin a widening assortment of smartphone and tablet devices).

As a recent 2011 report by the Michigan-based Ponemon Institute points out (Seven Tips for Securing Mobile Workers), large organizations must think seriously about an overall enterprise architecture for privacy and security that accounts for not only internal operating systems making use of cloud components, but also an array of external devices. Imposing the choice of digital devices is no longer an option: thus, standards, accountability and training are crucial to balancing openness and flexibility with appropriate information safeguards.

Of course, with respect to Apple product users, an important layer of security and redundancy is now virtualized via their proprietary cloud. This evolution also carries benefits and drawbacks for organizations: on the plus side, Apple is as sophisticated as they come in storing data and safeguarding infrastructure; on the other hand, users may be lulled into a false sense of “security” that carries over into workplace behaviour.

Indeed, a recent study by the Conference Board of Canada found that Canadians are anything but vigilant online in terms of information security practices, and the situation is worsening across social media sites. Another Ponemon study in 2010, for example, revealed that two-thirds of social media users partake without setting high levels of privacy and security: while 80 percent of respondents apparently expressed concern about online security, more than half admitted to not taking any measures whatsoever.

Governments must therefore shift beyond the language of rights and choice in trumpeting individual freedom online. Just as more is expected of corporations and governments, legally and morally, in safeguarding information assets, this same notion of responsibility and accountability must be extended to the citizenry at large. For now, it seems the message is not getting through, with cloud systems and mobile devices inadvertently fostering passiveness even as the stakes are escalating.

Third and finally, government’s clout as a large and strategic consumer of technology systems and devices, coupled with its role as regulator of industry-wide behaviour, creates important leverage to promote greater openness and interoperability across otherwise separate proprietary cloud systems and product platforms. As the iCloud takes hold – along with numerous other private, public and hybrid clouds – openness, interoperability and interdependence must be guiding principles for government action both within their jurisdictions and collectively across increasingly porous borders.

Jeffrey Roy is Professor of Public Administration at Dalhousie University (roy@dal.ca).

About this author

Jeffrey Roy is Professor in the School of Public Administration at Dalhousie University’s Faculty of Management. He is a widely published observer and critic of the impacts of digital technologies on government and democracy. He has worked with the United Nations, the OECD, multinational corporations, and all levels of government in Canada. He has produced more than eighty peer-reviewed articles and chapters and his most recent book was published in 2013 by Springer: From Machinery to Mobility: Government and Democracy in a Participative Age. Among other bodies, his research has been funded by the IBM Center for the Business of Government and the Social Sciences and Humanities Research Council of Canada. He may be reached at: roy@dal.ca